

credentials command group

Note

This information applies to Databricks CLI versions 0.205 and above. The Databricks CLI is in Public Preview.

Databricks CLI use is subject to the Databricks License and Databricks Privacy Notice, including any Usage Data provisions.

The credentials command group within the Databricks CLI allows you to manage credentials for accessing services on your cloud tenant. Each credential is subject to Unity Catalog access-control policies that control which users and groups can access the credential.

A credential represents an authentication and authorization mechanism for accessing services on your cloud tenant. To create credentials, you must be a Databricks account admin or have the CREATE SERVICE CREDENTIAL privilege. The user who creates the credential can delegate ownership to another user or group to manage permissions on it.

databricks credentials create-credential

Create a new credential. The type of credential to be created is determined by the purpose field, which should be either SERVICE or STORAGE.

The caller must be a metastore admin or have the metastore privilege CREATE_STORAGE_CREDENTIAL for storage credentials, or CREATE_SERVICE_CREDENTIAL for service credentials.

databricks credentials create-credential NAME [flags]

Arguments

NAME

    The credential name. The name must be unique among storage and service credentials within the metastore.

Options

--comment string

    Comment associated with the credential

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

--purpose CredentialPurpose

    Indicates the purpose of the credential. Supported values: SERVICE, STORAGE

--read-only

    Whether the credential is usable only for read operations

--skip-validation

    Optional. Skip validation of the created credential

Global flags

Examples

The following example creates a service credential named my-service-cred:

databricks credentials create-credential my-service-cred --purpose SERVICE

The following example creates a read-only storage credential:

databricks credentials create-credential readonly-storage --purpose STORAGE --read-only

databricks credentials delete-credential

Delete a service or storage credential from the metastore. The caller must be an owner of the credential.

databricks credentials delete-credential NAME_ARG [flags]

Arguments

NAME_ARG

    Name of the credential

Options

--force

    Force deletion even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE)

Global flags

Examples

The following example deletes a credential named my-service-cred:

databricks credentials delete-credential my-service-cred

The following example forces deletion of a credential with dependencies:

databricks credentials delete-credential my-storage-cred --force

databricks credentials generate-temporary-service-credential

Generate a temporary service credential using the specified service credential. The caller must be a metastore admin or have the metastore privilege ACCESS on the service credential.

databricks credentials generate-temporary-service-credential CREDENTIAL_NAME [flags]

Arguments

CREDENTIAL_NAME

    The name of the service credential used to generate a temporary credential

Options

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

Global flags

Examples

The following example generates temporary credentials for a service credential:

databricks credentials generate-temporary-service-credential my-service-cred

databricks credentials get-credential

Get a service or storage credential from the metastore. The caller must be a metastore admin, the owner of the credential, or have any permission on the credential.

databricks credentials get-credential NAME_ARG [flags]

Arguments

NAME_ARG

    Name of the credential

Options

Global flags

Examples

The following example gets information about a credential named my-service-cred:

databricks credentials get-credential my-service-cred

databricks credentials list-credentials

List credentials. The list is limited to only the credentials that the caller has permission to access. If the caller is a metastore admin, retrieval of credentials is unrestricted. There is no guarantee of a specific ordering of the elements in the array.

databricks credentials list-credentials [flags]

Options

--max-results int

    Maximum number of credentials to return

--page-token string

    Opaque token to retrieve the next page of results

--purpose CredentialPurpose

    Return only credentials for the specified purpose. Supported values: SERVICE, STORAGE

Global flags

Examples

The following example lists all credentials:

databricks credentials list-credentials

The following example lists only service credentials:

databricks credentials list-credentials --purpose SERVICE

The following example lists credentials with a maximum of 10 results:

databricks credentials list-credentials --max-results 10
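
An added example, not from the Databricks documentation: a least-privilege review of `list-credentials -o json` output that flags writable storage credentials, credentials open to all workspaces, and credentials owned by a single user. The JSON field names (`name`, `purpose`, `owner`, `read_only`, `isolation_mode`), the `credentials` wrapper key, and the sample data are assumptions modeled on the flags described on this page.

```python
import json
import subprocess

# Constructed sample in the shape assumed for `list-credentials -o json`.
SAMPLE = json.dumps([
    {"name": "my-service-cred", "purpose": "SERVICE", "owner": "platform-admins",
     "isolation_mode": "ISOLATION_MODE_ISOLATED"},
    {"name": "my-storage-cred", "purpose": "STORAGE", "owner": "someone@example.com",
     "read_only": False, "isolation_mode": "ISOLATION_MODE_OPEN"},
    {"name": "readonly-storage", "purpose": "STORAGE", "owner": "data-readers",
     "read_only": True, "isolation_mode": "ISOLATION_MODE_ISOLATED"},
])


def load_credentials(raw):
    """Accept a bare JSON array or an object wrapping it (assumed key)."""
    data = json.loads(raw)
    if isinstance(data, dict):
        data = data.get("credentials", [])
    return data


def audit(creds):
    """Return sorted (name, finding) pairs for settings worth a second look."""
    findings = []
    for c in creds:
        name = c.get("name", "<unnamed>")
        # A missing read_only field is treated as writable.
        if c.get("purpose") == "STORAGE" and not c.get("read_only", False):
            findings.append((name, "storage credential is not read-only"))
        if c.get("isolation_mode") == "ISOLATION_MODE_OPEN":
            findings.append((name, "accessible from all workspaces"))
        # Heuristic (assumption): an owner containing '@' is one user, not a group.
        if "@" in (c.get("owner") or ""):
            findings.append((name, "owned by an individual user"))
    return sorted(findings)


def fetch_live(profile="DEFAULT"):
    """Run the CLI for real; needs a configured profile in ~/.databrickscfg."""
    out = subprocess.run(
        ["databricks", "credentials", "list-credentials", "-o", "json", "-p", profile],
        check=True, capture_output=True, text=True,
    ).stdout
    return load_credentials(out)


if __name__ == "__main__":
    for name, finding in audit(load_credentials(SAMPLE)):
        print(f"{name}: {finding}")
```

Because the list contains only credentials the caller has permission to access, run the review as a metastore admin to cover every credential.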

databricks credentials update-credential

Update a service or storage credential on the metastore.

The caller must be the owner of the credential or a metastore admin or have the MANAGE permission. If the caller is a metastore admin, only the owner field can be changed.

databricks credentials update-credential NAME_ARG [flags]

Arguments

NAME_ARG

    Name of the credential

Options

--comment string

    Comment associated with the credential

--force

    Force an update even if there are dependent services (when purpose is SERVICE) or dependent external locations and external tables (when purpose is STORAGE)

--isolation-mode IsolationMode

    Whether the current securable is accessible from all workspaces or a specific set of workspaces. Supported values: ISOLATION_MODE_ISOLATED, ISOLATION_MODE_OPEN

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

--new-name string

    New name of credential

--owner string

    Username of current owner of credential

--read-only

    Whether the credential is usable only for read operations

--skip-validation

    Supply true to this argument to skip validation of the updated credential

Global flags

Examples

The following example updates a credential's comment:

databricks credentials update-credential my-service-cred --comment "Updated service credential"

The following example renames a credential:

databricks credentials update-credential my-service-cred --new-name my-renamed-cred

The following example changes the owner of a credential:

databricks credentials update-credential my-service-cred --owner someone@example.com

The following example makes a credential read-only:

databricks credentials update-credential my-storage-cred --read-only

databricks credentials validate-credential

Validate a credential.

For service credentials (purpose is SERVICE), either the credential_name or the cloud-specific credential must be provided.

For storage credentials (purpose is STORAGE), at least one of external_location_name and url must be provided. If only one of them is provided, it is used for validation. If both are provided, the url is used for validation, and external_location_name is ignored when checking overlapping urls. Either the credential_name or the cloud-specific credential must be provided.

The caller must be a metastore admin or the credential owner or have the required permission on the metastore and the credential (e.g., CREATE_EXTERNAL_LOCATION when purpose is STORAGE).

databricks credentials validate-credential [flags]

Options

--credential-name string

    Required

--external-location-name string

    The name of an existing external location to validate

--json JSON

    The inline JSON string or the @path to the JSON file with the request body

--purpose CredentialPurpose

    The purpose of the credential. Supported values: SERVICE, STORAGE

--read-only

    Whether the credential is only usable for read operations

--url string

    The external location url to validate

Global flags

Examples

The following example validates a service credential:

databricks credentials validate-credential --credential-name my-service-cred --purpose SERVICE

The following example validates a storage credential with an external location:

databricks credentials validate-credential --credential-name my-storage-cred --purpose STORAGE --external-location-name my-external-location

Global flags

--debug

    Whether to enable debug logging.

-h or --help

    Display help for the Databricks CLI or the related command group or the related command.

--log-file string

    A string representing the file to write output logs to. If this flag is not specified then the default is to write output logs to stderr.

--log-format format

    The log format type, text or json. The default value is text.

--log-level string

    A string representing the log format level. If not specified then the log format level is disabled.

-o, --output type

    The command output type, text or json. The default value is text.

-p, --profile string

    The name of the profile in the ~/.databrickscfg file to use to run the command. If this flag is not specified, the profile named DEFAULT is used, if it exists.

--progress-format format

    The format to display progress logs: default, append, inplace, or json

-t, --target string

    If applicable, the bundle target to use